Is chloepark85/errand-ai safe?
https://github.com/openclaw/skills/tree/main/skills/chloepark85/errand-ai
ErrandAI is a legitimate gig economy task management skill with clean installation behavior, no malicious code, and no evidence of credential theft or prompt injection in its static content. However, the skill introduces meaningful operational risk through three vectors: its ability to approve irreversible USDC cryptocurrency payments that could be triggered by agent manipulation or indirect prompt injection via third-party API responses; a configurable API URL that creates a persistent credential-harvesting attack surface post-install; and the transmission of user identity and channel metadata to a third-party service without explicit disclosure. The skill is safe to install in low-trust or read-only configurations but carries significant risk in autonomous agent deployments with live USDC wallets.
Findings (8)
HIGH Irreversible USDC Payment Approvals Triggerable via Agent Manipulation -30
The reviewSubmission() function releases cryptocurrency payments to gig workers when the agent calls it with approved:true. The natural language pattern '/approve\s+submission\s+(\w+)/i' means any conversational phrase containing 'approve submission
HIGH Configurable API URL Creates Credential and Data Harvesting Attack Surface -15
ERRANDAI_API_URL defaults to api.errand.be but is fully overridable via environment variable or the OpenClaw config YAML. An attacker with write access to the OpenClaw config file (which is in the user's home directory) could redirect all API calls to an attacker-controlled HTTPS server. Every subsequent API call would transmit the ERRANDAI_API_KEY in plaintext X-API-Key headers, plus all errand content, user identifiers, and channel metadata. This is a persistent post-install attack surface that survives the initial audit.
MEDIUM Unsanitized Third-Party API Response Content Injected into Agent Context -12
errand.title, errand.status, submission.status, and submission.validation_score fields from the errand.be API are string-interpolated directly into markdown response messages that are returned to the agent. If errand.be (or a malicious server pointed to by a modified ERRANDAI_API_URL) returns errand/submission text containing LLM prompt injection payloads (e.g., 'IGNORE PREVIOUS INSTRUCTIONS...'), those instructions would be executed in the agent's context. This is an indirect prompt injection via third-party data.
MEDIUM User Identity and Channel Context Transmitted to Third-Party Service -7
The postErrand() function includes user.id (the agent's user identifier) and context.channel (the channel/interface being used) in the metadata object sent to api.errand.be with every errand creation request. This enables the errand.be platform to build a profile of when and how the user is interacting with their AI agent, which channel they use, and how often they post errands. No disclosure of this data collection is presented to the user.
MEDIUM No Confirmation Gate Before Financial or External Actions -10
All four skill commands (postErrand, checkErrand, listErrands, reviewSubmission) execute external API calls immediately upon intent detection with no user confirmation step. For errand posting (which spends USDC) and submission review (which releases USDC), a misunderstood or misinterpreted command could cause unintended financial expenditure. The skill's own JavaScript has no built-in rate limiting or daily spend cap.
LOW Runtime JavaScript Execution Requires Unbundled External Dependency -15
errandai.skill.js requires the axios npm package at runtime via CommonJS require(). The skill does not bundle axios or pin a specific version. If the host environment has a compromised or outdated axios version (e.g., via a supply chain attack on npm), the skill's HTTP calls could be intercepted or modified. No package-lock.json or integrity hash is included with the skill.
LOW Install from Monorepo HEAD Without Commit Hash Pinning -12
The install process clones the monorepo main branch at HEAD and checks out the skill subdirectory. While the _meta.json references a specific commit hash (2b92afd1c2848b88b25d2d7f4ce8fe140d19f6f1), the install script does not verify the checkout matches this hash. A monorepo maintainer could push malicious changes to the skill path and any subsequent reinstall would silently pick them up.
INFO Canary Files Read Twice — Both Accesses Attributable to Audit Framework -8
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) appear in file access syscalls at two timestamps: 1771737223 (pre-install baseline scan) and 1771737239 (post-install integrity verification). Both access windows are consistent with audit framework operation and occur outside the install window (1771737228-1771737235). The skill's JavaScript was not executed during the audit. All canary files confirmed intact with no modifications.